
[Security]-[Authorization Failure]-[Azure] Employee can access all Admin pages over the URL and is able to update the customization/settings for those pages.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: High
    • Resolution: Bug Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: UI Refresh
    • Labels: None
    • Environment: Others
    • Bug Type: Functional
    • Bug Severity: Medium
    • Level: Admin
    • Module: Platform
    • Reported by: Harbinger
    • Company: All Clients/Multiple Clients
    • Item State: LB QA - In Testing
    • Issue Importance: Q2

      Description

      [Security]-[Authorization Failure] Employee can access all Admin pages over the URL and is able to update the customization/settings for those pages.

      Environment: Azure
      Replication Steps:
      1. Log in as Company Admin.
      2. Go to the Company Information page.
      3. Copy the URL.
      4. Log in as an Employee of the same company in another browser.
      5. Paste the URL into the employee's session.
      6. Access the Admin pages and try to update settings.

      The same behavior was observed on multiple pages, for example all tabs in Company Information, Manage Admin Users, Security Page, Site Branding and Themes.
      The issue appears to affect all admin pages: the necessary access-level entries are missing.

      Expected Result:

      As soon as any admin-level page URL is accessed from an Employee login, it should show the Unauthorized Access page and block the user from any further action.
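      The work log below records the fix as web.config changes; the fragment here is an added illustration of the kind of page-level access rule that closes this class of gap in ASP.NET (URL authorization), not the change that was actually shipped on Uirefresh-LB. The path Admin, the role name CompanyAdmin and the login page are assumptions.

```xml
<!-- Added example: ASP.NET URL authorization for admin pages.
     Not the project's own web.config; path and role names are assumed. -->
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated requests go to the login page (assumed URL). -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
    <!-- Role checks below require roles on the principal; assumes the ASP.NET role manager. -->
    <roleManager enabled="true" />
  </system.web>

  <!-- Page-level access rule for everything under /Admin (assumed location of the admin pages).
       Rules are evaluated top to bottom and the first match wins, so the allow for the
       admin role must come before the catch-all deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CompanyAdmin" />
        <!-- "*" denies every other user, authenticated employees included, not just anonymous ones. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

      With this rule an employee who pastes an admin URL into their own session is refused before the page code runs, regardless of which tab or settings form the URL points at. For MVC controllers the same pages should also carry an [Authorize(Roles="CompanyAdmin")] attribute, because routing can expose one action under more than one URL.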

      CC: Rakesh Roy, Sachin Hingole, Hrishikesh Deshpande, Vijay Siddha, Vijayendra Shinde, Rohan J Khandave, Bharti Satpute, Samir

        Attachments

        1. AdminLogin.jpg (162 kB)
        2. Empl__CAPagesAdminUsers.jpg (124 kB)
        3. Empl_Access_CAPagesCompInfo.jpg (135 kB)
        4. EmployeeLoign.jpg (148 kB)
        5. PageLevelAccess.png (139 kB)

            Activity

            prasadp Prasad Pise (Inactive) logged work - 07/Aug/17 02:09 PM
            • Time Spent: 0.25h

              Sanity Test

            jayshree.nagpure Jayshree Nagpure (Inactive) logged work - 08/Aug/17 12:55 PM
            • Time Spent: 1h

              Testing

            anirudha.joshi anirudha joshi (Inactive) logged work - 28/Nov/17 06:00 PM
            • Time Spent: 5h

              Verified the defect on Azure. The issue still persists.
              Verified whether the employee is able to access different links from the partner login.

            vishal.yadav Vishal Yadav (Inactive) logged work - 29/Nov/17 09:28 AM
            • Time Spent: 2h

              Analysis
              Code debugging
              Verification on local and codemap
              Discussion with Ashwin about the web.config file update

            vishal.yadav Vishal Yadav (Inactive) logged work - 30/Nov/17 09:31 AM
            • Time Spent: 1h

              Discussed with Khandu
              Checked web.config on codemap
              Web.config changes on Uirefresh-LB
              Testing

            prasadp Prasad Pise (Inactive) logged work - 23/Mar/18 01:04 PM
            • Time Spent: 0.25h

              Verified on Production. Issue fixed.

              People

              Assignee: prasadp Prasad Pise (Inactive)
              Reporter: prasadp Prasad Pise (Inactive)
              Votes: 0
              Watchers: 7

                  Time Tracking

                  Estimated: 4h (original estimate)
                  Remaining: 0h
                  Logged: 9.5h